[1242] in Kerberos_V5_Development
kadm5_init, acquiring initial credentials
daemon@ATHENA.MIT.EDU (Barry Jaspan)
Tue May 28 17:44:55 1996
Date: Tue, 28 May 96 17:44:17 -0400
From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krbdev@MIT.EDU, jik@cam.ov.com

The kadm5 api is defined such that it always acquires new tickets for
the kadmin service principal every time it is run; thus, like ksu, you
can never run a kadm5 program without typing your password (or without
access to a keytab).

Should the kadm5 api enforce this policy? At OV we decided that we
did not want to allow the risk of an administrator acquiring tickets
then walking away from his desk, so we defined the API to always
acquire its own tickets; we then also made our GUI lock itself after
five minutes of non-use and require the pw to be entered again before
it could be used.

Is this a reasonable amount of annoyance, or should kadm5 just use an
existing krbtgt like any other kerberos application?

Barry